Abstract

Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking.

Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Murφ state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized protocol illustrates the difficulty of using theorem proving to verify infinite-state protocols. Some of this difficulty can be overcome by extracting a finite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Murφ, SMV, and the PVS model checkers on this reduced protocol.

Sam Owre (SRI) has assisted with the use of PVS and suggested several improvements to the paper. Sreeranga Rajan (SRI) was instrumental in integrating the mu-calculus model checker (built by Geert Janssen of Eindhoven University of Technology) into PVS. SeungJoon Park of Stanford University implemented the Murφ-to-PVS translator. David Cyrluk (SRI and Stanford University) sped up parts of the PVS equality decision procedure. Ken McMillan (Cadence Labs) suggested that we examine forward reachability as a way of obtaining efficiency from the PVS model checker. We are also grateful to John Rushby (SRI) for facilitating Klaus Havelund's visit to SRI, and to Therese Hardin (LITP) for providing a stimulating environment at LITP in Paris.

Supported by a European Community HCM grant, with origin institution being DIKU, Institute of Computer Science, University of Copenhagen, Denmark.

Supported by NSF Grant CCR-930044 and by ARPA through NASA Ames Research Center under Contract NASA-NAG-2-891 (ARPA Order A721).